Full Game Materials (120-140 min, 3 rounds)
Round 1: Initial Discovery & Banking Network Impact (35-40 min)
Opening Scenario:
It’s the last business day of the month at Community First Bank, and all 45 branch locations are processing peak transaction volumes. Regional Director Janet Foster is reviewing month-end reports when her phone starts ringing with calls from multiple branch managers.
“The USB drives for our daily audit procedures are acting strange,” reports the downtown branch manager. “Files are appearing that look like folders - ‘Audit_Data’, ‘Transaction_Reconciliation’ - but they don’t open. And the systems are slower after we use the drives.”
As Janet starts investigating, similar reports flood in from branches across the region. The USB drives used for routine transaction reconciliation and audit compliance - drives that rotate between branches on a weekly schedule - are spreading infection faster than anyone realized was possible.
IT Security Manager Carlos Martinez convenes an emergency response team: “If this malware is spreading through our audit USB drives, and those drives visit multiple branches every week, we could have network-wide contamination within days. And month-end processing can’t afford any delays.”
Team Action: Each player takes 2 actions to investigate the incident using their role’s capabilities. The IM should track what the team discovers based on their investigation choices.
Investigation Discoveries (based on role and approach):
Detective-focused investigations:
- USB drive forensics reveal Raspberry Robin worm creating malicious LNK files disguised as legitimate banking data folders
- Malware propagates automatically when USB drives are inserted - requires no user interaction beyond normal audit procedures
- Timeline analysis shows initial infection likely introduced 7-10 days ago, spreading through weekly USB rotation cycles
- Memory forensics reveal worm attempts to establish persistence and external network connectivity from banking systems
Protector-focused investigations:
- Banking network architecture review shows USB drives are essential for audit compliance and branch-to-regional data transfers
- Security assessment reveals traditional network protections don’t detect or prevent USB-based propagation
- Customer account database security analysis shows USB drives have access for backup and reconciliation procedures
- Branch security posture varies significantly - some locations have USB controls, many do not
Tracker-focused investigations:
- USB device rotation tracking shows systematic propagation pattern: drives visit 4-5 branches per week
- Banking workflow analysis reveals 200+ USB insertions daily across 45-branch network for audit and reconciliation
- Network monitoring detects attempted external connections from infected systems (mostly blocked by firewalls)
- Evidence of USB drives moving between customer account systems, transaction processing, and administrative networks
Communicator-focused investigations:
- Branch manager interviews reveal USB audit procedures are federally mandated for banking compliance
- Operations staff report USB drives are shared between branches to reduce costs - “We have 30 USB drives for 45 branches”
- Compliance officer notes USB drives used for audit also transfer customer data for regulatory reporting
- Customer-facing staff unaware of USB malware but concerned about any system disruptions affecting account access
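The timeline and rotation-tracking discoveries above amount to a contact-tracing problem: which branches and drives could the worm have reached, given when each drive was inserted where. The following is an added illustration, not part of the original game materials; the rotation log, branch names and drive IDs are constructed sample data.

```python
from collections import namedtuple

Insertion = namedtuple("Insertion", "drive branch day")  # day as ISO date string

# Constructed sample rotation log (not real data): which audit drive was
# inserted at which branch on which day. ISO dates sort correctly as strings.
ROTATION_LOG = [
    Insertion("USB-07", "Southpark", "2024-05-17"),  # before the first infection
    Insertion("USB-07", "Downtown",  "2024-05-20"),  # suspected first infection
    Insertion("USB-07", "Riverside", "2024-05-21"),
    Insertion("USB-12", "Riverside", "2024-05-21"),  # same day as the infected drive
    Insertion("USB-12", "Northgate", "2024-05-22"),
    Insertion("USB-03", "Hillcrest", "2024-05-22"),  # USB-03 is still clean here
    Insertion("USB-07", "Eastside",  "2024-05-23"),
    Insertion("USB-03", "Northgate", "2024-05-24"),  # USB-03 picks it up here
    Insertion("USB-03", "Westfield", "2024-05-27"),
    Insertion("USB-21", "Hillcrest", "2024-05-28"),  # Hillcrest is never exposed
]


def trace_exposure(log, first_drive, first_day):
    """Propagate infection forward in time through the rotation log.

    Rules: an infected drive infects every branch it is inserted at on or
    after its infection day; a clean drive inserted at an infected branch
    becomes infected that day. Same-day insertions at one branch are treated
    conservatively (order unknown), so they cross-contaminate.
    Returns (branches, drives): dicts of id -> earliest exposure day.
    """
    drives = {first_drive: first_day}
    branches = {}
    for day in sorted({e.day for e in log}):
        todays = [e for e in log if e.day == day]
        changed = True
        while changed:  # settle drive->branch->drive chains within one day
            changed = False
            for e in todays:
                if e.drive in drives and drives[e.drive] <= day and e.branch not in branches:
                    branches[e.branch] = day
                    changed = True
                if e.branch in branches and e.drive not in drives:
                    drives[e.drive] = day
                    changed = True
    return branches, drives


def containment_plan(log, first_drive, first_day):
    """Summarise what to quarantine and what stays clean, sorted for reporting."""
    branches, drives = trace_exposure(log, first_drive, first_day)
    all_branches = {e.branch for e in log}
    all_drives = {e.drive for e in log}
    return {
        "branches_to_scan": sorted(branches),
        "drives_to_quarantine": sorted(drives),
        "clean_branches": sorted(all_branches - set(branches)),
        "clean_drives": sorted(all_drives - set(drives)),
    }


if __name__ == "__main__":
    for key, val in containment_plan(ROTATION_LOG, "USB-07", "2024-05-20").items():
        print(f"{key}: {', '.join(val)}")
```

Note that Hillcrest stays clean even though USB-03 later became infected: direction in time matters, which is what separates a scoped containment list from "every branch a drive ever visited".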
Key NPCs and Interactions:
Janet Foster (Regional Director):
- Responsible for operations across 45 branch locations and 1,200 employees
- Under pressure from bank executives to maintain month-end processing and customer service
- Balancing security response with banking operational requirements and regulatory compliance
- Perspective: “We have federal audit deadlines, month-end reconciliation requirements, and 125,000 customers depending on accurate account information. Tell me how we fix this security problem without disrupting the banking operations those customers rely on.”
Carlos Martinez (IT Security Manager):
- Banking IT background but facing unprecedented multi-branch USB propagation scenario
- Discovering that distributed branch network creates unique containment challenges
- Frustrated by USB dependency in federally mandated audit procedures
- Reality check: “I can implement USB controls at headquarters in a day. But coordinating security changes across 45 branches with different systems, staff, and operational constraints? That’s weeks of work. And this malware is spreading right now.”
Diana Chen (Branch Operations Manager):
- Manages daily operations and audit compliance across branch network
- Caught between IT security requirements and banking operational necessities
- Expert on banking workflows but unfamiliar with cybersecurity incident response
- Conflict point: “You want to disable USB? Our audit procedures are federally mandated - we can’t just stop doing them because of malware. The banking examiners will shut us down for non-compliance before cybersecurity does.”
Robert Kim (Compliance Officer):
- Responsible for federal banking regulatory compliance and customer data protection
- Must assess breach notification requirements under federal banking regulations
- Concerned about reputational damage and customer trust impact
- Pressure point: “If customer account data was accessed by malware, we have 24 hours to notify federal regulators and 30 days to notify affected customers. This triggers a compliance cascade with serious regulatory and reputational consequences.”
Round 1 Pressure Events:
These occur during the 35-40 minute investigation period, building tension:
- 15 minutes in: Branch manager reports customer account discrepancy discovered during reconciliation. USB malware may have corrupted transaction data. “We can’t verify if this is malware impact or normal error until we clean the systems.”
- 25 minutes in: Carlos discovers infected USB drives accessed customer account databases. Robert must assess if personal information (names, addresses, SSNs) or just account numbers were exposed. “This could trigger federal breach notification requirements.”
- 30 minutes in: Federal banking examiner’s routine call: “We’re scheduling our quarterly review next week. We’ll be examining your audit compliance and cybersecurity program. Any incidents we should be aware of?” Decision: disclose now or after remediation?
Round 1 Conclusion:
After investigations, the team should understand they’re facing multi-branch USB worm propagation through essential banking audit workflows, affecting customer account systems across a distributed branch network, during critical month-end processing when regulatory compliance is paramount. Janet asks: “Based on what you’ve discovered, what’s your response strategy that protects our customers, maintains banking operations, and satisfies federal regulators?”
Round 2: Response Strategy & Federal Regulatory Pressure (35-40 min)
Situation Development:
The team’s initial response strategy meets the complex reality of distributed banking operations. If they chose USB shutdown, branches cannot complete federally required audits. If they implemented monitoring, worm propagation continues through shared USB drives. If they focused on isolation, customer data exposure expands to additional branches.
More critically, federal regulatory requirements and customer data protection obligations transform the technical incident into a compliance crisis.
Opening:
External threat intelligence from FS-ISAC: Raspberry Robin infections at financial institutions over the past year have led to follow-on ransomware attacks (LockBit, BianLian targeting banking systems) and data exfiltration for account fraud operations. “USB worm is initial access for sophisticated financial crime. Your customer account data is the ultimate target, and you’re in the threat actors’ pipeline.”
Simultaneously, Robert Kim completes customer data breach assessment: infected USB drives accessed account databases at 35 branches containing personal information (names, addresses, phone numbers, account numbers, transaction histories) for approximately 125,000 customers. “Under federal banking regulations - GLBA, state breach notification laws - we must notify regulators within 24 hours and customers within 30 days if unauthorized access occurred. The clock started when we discovered the compromise.”
Diana reports banking operations pressure: “Month-end reconciliation deadline is tomorrow. Without USB drives for audit data transfers, we’ll fail federal compliance requirements. Banking examiners will impose penalties for non-compliant audit procedures - potentially more severe than cybersecurity issues.”
Federal banking examiner calls: “We received an automated alert from your systems about unusual activity. We need an incident briefing including customer impact, remediation timeline, and notification procedures. Can you provide that today?”
Team Action: Each player takes 2 actions to develop comprehensive response strategy, considering:
- Customer data protection and breach notification compliance
- Banking operational continuity and federal audit requirements
- Multi-branch security coordination and USB malware containment
- Federal regulatory relationship management and examiner oversight
Response Options and Consequences:
Comprehensive Multi-Branch Remediation:
- Implementation: Complete USB worm removal across all 45 branches with federal forensics support, implement enterprise USB security controls for banking environment, conduct thorough customer data breach assessment with external legal guidance, coordinate federal regulatory notifications and customer breach letters
- Immediate Effects: Extended remediation disrupts banking operations (2-3 weeks), fails month-end audit compliance triggering regulatory penalties, customer breach notification creates account closure risk, federal forensics and legal costs $300K+
- Outcome: Complete USB worm elimination protects customer data long-term, definitive breach determination supports regulatory compliance, demonstrates commitment to banking security, federal examiners note thoroughness despite operational impact
- Learning: Shows comprehensive security prioritization and resulting business/compliance consequences, value of external forensics in financial breach assessment
Customer Protection Prioritized Approach:
- Implementation: Immediate remediation of customer-facing systems and account databases across all branches, establish sanitized USB workflow for critical month-end operations, implement real-time USB monitoring, conduct targeted breach assessment for confirmed customer data exposure
- Immediate Effects: Maintains customer account security and month-end processing capability, reduces operational disruption through prioritization, balances security with banking mission
- Outcome: Customer data systems protected but administrative infrastructure may remain infected risking follow-on attacks, breach assessment may be incomplete requiring extended investigation, demonstrates customer-centric response approach
- Learning: Illustrates banking risk prioritization and tradeoffs between comprehensive security and customer service continuity
FS-ISAC Collaboration & Federal Coordination:
- Implementation: Engage FS-ISAC for Raspberry Robin banking intelligence sharing, coordinate with core banking vendors (Fiserv, Jack Henry) for remediation guidance, maintain transparent communication with federal examiners about incident response and timeline
- Immediate Effects: Leverages financial sector expertise on USB worm banking impacts, vendor collaboration provides industry-specific remediation paths, federal examiner transparency demonstrates mature regulatory relationship
- Outcome: Improved response quality through sector knowledge sharing, potential examiner accommodation based on proactive communication, demonstrates financial industry cybersecurity collaboration
- Learning: Shows value of FS-ISAC and banking sector partnerships, importance of federal regulatory relationship management during incidents
Phased Branch Recovery with Customer Communication:
- Implementation: Phase response by branch criticality and infection status, start with highest customer volume branches, roll out USB security controls progressively, conduct staged customer breach assessment as branches are cleaned, coordinate customer communication strategy with marketing and legal
- Immediate Effects: Minimizes overall banking disruption through staged approach, allows continued operations at clean branches, demonstrates thoughtful customer impact management
- Outcome: Extended remediation timeline (4 weeks) keeps some branches vulnerable to follow-on attacks longer, progressive breach assessment complicates federal notification, shows sophisticated multi-branch incident response
- Learning: Demonstrates phased incident response in distributed banking environment, customer communication challenges in partial breach scenarios
Emergency Federal Notification with Minimal Details:
- Implementation: Immediately notify federal regulators of potential customer data compromise with preliminary assessment, request extended investigation timeline, implement maximum-effort USB remediation while forensic investigation continues, delay customer notification until definitive breach determination
- Immediate Effects: Satisfies 24-hour federal notification requirement with limited information, buys time for thorough investigation, maintains regulatory compliance under uncertainty
- Outcome: Federal examiners may scrutinize preliminary notification quality, extended customer notification timeline creates uncertainty, demonstrates prioritization of regulatory compliance over operational concerns
- Learning: Shows federal regulatory notification strategies under incomplete information, challenges of breach determination with sophisticated malware
Round 2 Pressure Events:
Building tension during response implementation:
- 15 minutes in: Core banking system vendor reports USB remediation on transaction processing systems requires coordination with their technical support - 48-hour minimum timeline per branch for vendor-assisted clean-up. “We need to ensure customer data integrity after malware removal.”
- 25 minutes in: FS-ISAC shares intelligence: Bank in neighboring state experienced LockBit ransomware 5 weeks after Raspberry Robin infection. Customer account backup systems were primary target. “Your backup infrastructure is likely being probed right now.”
- 30 minutes in: Customer data forensics preliminary finding: Evidence suggests customer information was accessed but no definitive proof of exfiltration yet. “We need 7-10 days for complete analysis to determine if data left your network.” Federal notification timeline is 24 hours with incomplete information.
- 35 minutes in: Local media reports: “Sources indicate Community First Bank experiencing cybersecurity incident affecting customer accounts.” Customers calling branches demanding information. Marketing/PR crisis developing alongside technical incident.
Round 2 Conclusion:
Regardless of chosen approach, the team is managing intersecting banking challenges: customer data protection (federal regulatory requirement), operational continuity (month-end processing and audit compliance), multi-branch coordination (45 distributed locations), regulatory oversight (federal examiner involvement), and reputation management (customer trust and media attention). The incident has evolved from USB malware to comprehensive banking crisis requiring integration of security, compliance, operations, customer service, and regulatory relationship management. Janet states: “We need your recommendations. 125,000 customers, 1,200 employees, and federal banking regulators are all depending on us to make the right call.”
Round 3: Resolution & Financial Sector Security Lessons (35-40 min)
Final Situation:
Two weeks after initial discovery, the USB worm response is reaching conclusion. Depending on the team’s Round 2 response strategy:
If comprehensive remediation: All 45 branches cleaned of Raspberry Robin infection. Federal forensics determined customer data was accessed but no evidence of exfiltration. Breach notification sent to 125,000 customers and federal regulators. USB security controls implemented across banking network. No follow-on attacks occurred.
However, month-end audit compliance was failed, resulting in $150K regulatory penalties. Customer breach notification resulted in 3% account closure rate (3,750 customers, $45M deposits). Federal forensics and incident response costs totaled $350K. Some branches operated with reduced capabilities for 2 weeks. Federal examiners increased oversight intensity for next 12 months.
If customer protection prioritized: Customer-facing systems successfully protected throughout incident. Month-end processing completed maintaining audit compliance. However, administrative systems experienced follow-on attack 4 weeks later - attempted LockBit ransomware deployment (contained but required additional response). Customer breach assessment extended to 6 weeks creating notification timeline concerns with regulators.
The prioritization saved customer relationships and maintained banking operations but left security gaps risking additional incidents. Federal examiners questioned incomplete remediation approach.
If FS-ISAC collaboration: Financial sector intelligence sharing yielded valuable Raspberry Robin banking-specific remediation guidance. Core banking vendor support accelerated response by 40%. Federal examiner transparency resulted in accommodation for extended investigation before customer notification. Collaborative approach improved response quality.
External coordination costs $200K but preserved customer trust through managed communication. FS-ISAC participation strengthened industry reputation. Federal examiner relationship enhanced through proactive transparency.
If phased recovery: Staged remediation successfully balanced customer service with security restoration across 45 branches. High-volume branches remediated first minimizing customer impact. Month-end processing maintained through phased approach. Customer breach notification based on progressive assessment communicated confidence in thorough investigation.
Extended 4-week timeline kept some branches vulnerable but enabled continued banking operations. Federal examiners appreciated methodical approach but questioned vulnerability window. Demonstrated sophisticated multi-branch incident response.
If emergency federal notification: Preliminary notification satisfied 24-hour regulatory requirement. Extended investigation timeline revealed partial customer data exposure requiring notification to 85,000 customers (vs initial 125,000 estimate). Federal examiners accepted investigation rationale but scrutinized preliminary notification accuracy.
Customer notification delay created PR challenges when local media reported incident before official bank communication. Marketing/customer service challenges required significant damage control efforts.
Team Action - Part 1: Incident Closure (15-20 min):
Each player takes 1-2 actions to:
- Complete any remaining technical remediation or validation
- Finalize customer breach notification and federal regulatory reporting
- Document lessons learned for banking security improvement
- Present recommendations to bank executive leadership for USB security architecture
Team Action - Part 2: Financial Sector Security Learning (15-20 min):
The IM facilitates group discussion on banking cybersecurity lessons:
Facilitation Questions:
- “What makes financial sector cybersecurity different from other industries?”
- Guide toward: Customer data protection primacy, federal regulatory compliance, operational continuity requirements, distributed branch networks, reputation/trust sensitivity
- “How do USB-based threats challenge distributed banking networks?”
- Guide toward: Multi-branch propagation through shared devices, audit compliance creating USB dependency, branch coordination complexity, physical media bypassing network security
- “What role does federal regulatory compliance play in banking cybersecurity?”
- Guide toward: Strict notification timelines (24 hours to regulators, 30 days to customers), examiner oversight, audit requirements, GLBA and state breach laws, regulatory relationship management
- “How should banks balance security and operational continuity?”
- Guide toward: Customer service priorities, month-end processing requirements, audit compliance obligations, risk-based prioritization, branch coordination
- “What partnerships and resources are valuable for financial cybersecurity?”
- Guide toward: FS-ISAC threat intelligence, core banking vendors, federal banking agencies (FDIC, OCC, Federal Reserve), legal counsel, forensics firms
- “How have USB threats evolved in financial services, and what does the future look like?”
- Guide toward: USB as initial access for financial fraud and ransomware, supply chain USB compromise, BadUSB and firmware attacks, zero-trust approaches to removable media in banking
Victory Conditions Assessment:
Technical Success:
Business Success:
Learning Success:
Final Debrief Topics:
Financial Sector Security Challenges:
- Customer data protection is paramount in banking cybersecurity decisions
- Federal regulatory compliance creates strict timelines and oversight requirements
- Distributed branch networks create unique coordination and containment challenges
- Banking operational continuity (month-end processing, audit compliance) constrains security response
USB Threat Landscape in Banking:
- Raspberry Robin demonstrates USB worm evolution to initial access for financial crime
- Multi-branch networks enable rapid USB propagation through shared devices and workflows
- Audit compliance creates USB dependency that’s difficult to restrict
- Supply chain and vendor USB introduces risks beyond organizational control
Banking Incident Response:
- Requires integration of security, compliance, operations, customer service, and regulatory relationship management
- Federal regulatory notification obligations must be balanced with investigation thoroughness
- Customer communication and trust management critical during breach scenarios
- External support (FS-ISAC, vendors, forensics, legal) provides specialized financial sector capabilities
Regulatory and Compliance:
- 24-hour federal notification requirement forces decisions with incomplete information
- 30-day customer notification timeline requires rapid breach determination
- Federal examiner relationships built through transparency and proactive communication
- Audit compliance failures can result in regulatory penalties alongside cybersecurity consequences
Future Considerations:
- Zero-trust approaches to removable media in banking environments
- Multi-branch security architecture with centralized visibility and distributed implementation
- FS-ISAC participation and financial sector threat intelligence sharing
- Customer communication strategies for cyber incidents balancing transparency and trust
Round 3 Conclusion:
Janet addresses the team: “You’ve navigated the unique challenge of banking cybersecurity - protecting 125,000 customers’ financial data while maintaining the operations they depend on, satisfying federal regulators with strict timelines, and coordinating security across 45 distributed branches. Banking isn’t like other industries - customer trust is our most valuable asset, and cybersecurity incidents directly threaten that trust. You’ve demonstrated the thoughtful, customer-centered, compliance-aware approach we need. Our customers and our regulators deserve nothing less.”
Advanced Challenge Materials (150-170 min, 3 rounds)
Additional Complexity Layers
For experienced teams seeking maximum challenge, add these complexity elements:
1. Federal Banking Regulatory Complexity
Multi-Agency Oversight:
- Different regulators for different bank operations: FDIC (deposits), OCC (national banks), State banking authorities, CFPB (consumer protection)
- Each agency has different notification requirements, timelines, and enforcement priorities
- Compliance with GLBA (Gramm-Leach-Bliley Act), state breach notification laws, and banking-specific cybersecurity guidance
- Federal examiners can impose enforcement actions, fines, or increased oversight based on incident response
Implementation: Introduce realistic banking regulatory complexity where different agencies have competing requirements. Make players navigate FDIC, OCC, and state agency notifications with varying timelines. Create tension between regulatory compliance speed and investigation thoroughness.
2. Customer Trust and Account Closure Crisis
Customer Impact:
- During Round 1: Major customer (small business with $2M in accounts) threatens to move banking relationship due to security concerns
- During Round 2: Customer breach notification results in 5% immediate account closure rate in first 48 hours
- During Round 3: Local media investigation creates public relations crisis affecting new account acquisition
Business Consequences:
- Account closures reduce deposit base affecting bank’s lending capacity and profitability
- Lost customer relationships represent 10+ year lifetime value ($500-1,000 per customer)
- Reputational damage in local market where Community First Bank is established institution
- Competitor banks targeting Community First customers with “security-focused” marketing
Implementation: Introduce actual customer account closures and business relationship losses during scenario. Make players balance security thoroughness with customer communication and trust management. Create financial consequences beyond immediate incident response costs.
3. Multi-Branch Coordination Operational Complexity
Distributed Challenges:
- 45 branches have different IT systems, network configurations, and security baselines
- Branch managers have semi-autonomous decision-making authority and may resist central security mandates
- Some branches located in rural areas with limited IT support requiring on-site visits
- Branch employee security awareness varies significantly - some understand cybersecurity, many do not
Workflow Dependencies:
- USB audit drive rotation schedule is complex: drives visit specific branch sequences based on geographic routing
- Some branches share resources (staff, equipment) creating cross-contamination vectors beyond USB
- Month-end processing requires coordinated timing across all branches - delays at one location affect entire network
- Banking software updates and patches must be scheduled to avoid customer service disruptions
Implementation: Expand scenario to emphasize 45-branch distributed network complexity. Introduce branch manager resistance to security changes, geographic distance creating response delays, and workflow dependencies requiring careful coordination. Make players manage enterprise banking incident response with varying local conditions.
4. Core Banking System Vendor Dependencies
Vendor Constraints:
- Core banking system (Fiserv, Jack Henry, or similar) controls critical customer account infrastructure
- Vendor technical support required for any system-level changes or malware remediation
- Vendor response times vary: emergency support 4-hour minimum, standard support 48 hours
- Vendor contracts limit bank’s ability to have third-party (non-vendor) technicians access core systems
Vendor Communications:
- Vendor security team must approve all remediation approaches to maintain system warranty and support
- Vendor may require customer data breach notification to other financial institutions using same platform
- Vendor technical support costs $300/hour for emergency incident response
- Vendor may be managing similar incidents at other banks creating resource competition
Implementation: Make core banking vendor a critical stakeholder with significant control over remediation approaches. Introduce vendor approval requirements, response delays, and cost considerations. Create tension between bank’s desire for rapid response and vendor’s methodical approach.
5. Federal Banking Examiner Involvement
Examiner Oversight:
- The federal banking examiner’s scheduled quarterly review happens to coincide with the incident (unfortunate timing)
- Examiner requests detailed incident briefing, remediation timeline, and cybersecurity program documentation
- Examiner has authority to impose enforcement actions, fines, or increased oversight based on findings
- Examiner evaluates incident response as part of overall bank safety and soundness assessment
Regulatory Scrutiny:
- Examiner questions whether bank had adequate cybersecurity controls before incident
- Examiner reviews historical audit findings to determine if previous security recommendations were ignored
- Examiner coordinates with other agencies (FDIC, state regulators) creating multi-agency investigation
- Examiner may require independent third-party assessment of security program post-incident
Implementation: Add federal banking examiner as active stakeholder during incident response. Introduce examiner requests that consume management time, examiner questions about historical security practices, and potential enforcement action concerns. Make players balance incident remediation with examiner relationship management.
6. Customer Data Forensics Complexity
Breach Determination Challenges:
- Forensic analysis cannot definitively determine if customer data was exfiltrated or just accessed
- USB drives used by multiple employees across branches - attribution of specific data exposure unclear
- Raspberry Robin command-and-control traffic observed but encrypted - contents unknown
- External forensics firm provides range estimate: “Between 85,000 and 125,000 customer records potentially compromised”
Notification Dilemma:
- Notify 85,000 customers (minimum estimate) risking under-notification if forensics later show 125,000?
- Notify 125,000 customers (maximum estimate) creating unnecessary alarm for 40,000 who weren’t affected?
- Federal regulations require “reasonable determination” of affected individuals - what’s reasonable with ambiguous forensics?
- Over-notification costs $5/customer (letters, call center) = $625,000 for maximum estimate
Implementation: Make customer breach determination genuinely ambiguous requiring difficult judgment calls with incomplete forensic evidence. Introduce notification strategy decisions with financial and regulatory consequences. Create pressure to notify quickly (federal 30-day timeline) versus investigating thoroughly (6-8 weeks for definitive forensics).
7. Local Media and Public Relations Crisis
Media Attention:
- Local news investigates “cybersecurity incident at Community First Bank affecting customer accounts”
- Competitors leak information to media to damage Community First’s reputation
- Consumer advocacy groups demand transparency about customer data protection
- Social media amplifies customer concerns creating viral negative publicity
PR Challenges:
- Customer service representatives lack information to answer customer calls during investigation
- Marketing team wants to issue public statement but legal counsel recommends saying nothing until breach determination
- Customers posting negative reviews online affecting new account acquisition
- Media requesting interviews with bank executives during active incident response
Implementation: Add media and public relations complexity alongside technical incident response. Introduce customer service pressure, legal/marketing conflicts, social media reputation damage, and executive communication demands. Make players balance transparent customer communication with legal/regulatory caution.
Advanced Challenge Round Structure
Round 1: Discovery Under Banking Constraints (45-50 min)
Players must investigate Raspberry Robin with:
- Multi-agency federal regulatory requirements constraining disclosure and investigation approaches
- Customer trust crisis with a major account holder threatening to leave
- 45-branch distributed network coordination challenges
- Core banking vendor dependencies limiting investigation access and methods
Success requires: Balancing technical investigation with customer relationship preservation, navigating multi-agency regulatory landscape, coordinating across distributed branch network, working within core banking system vendor constraints.
Round 2: Response Under Financial Sector Complexity (45-50 min)
Players must develop a response strategy while managing:
- Federal banking examiner involvement and oversight during the active incident
- Customer data breach determination with forensic uncertainty
- Multi-branch operational continuity during month-end processing
- Vendor approval requirements and response timeline dependencies
- Customer account closures and business relationship losses
Success requires: Financial sector-appropriate response balancing customer data protection, regulatory compliance, operational continuity, and business preservation. Multi-stakeholder management across customers, regulators, vendors, branches, and media. Creative problem-solving within banking regulatory and operational constraints.
Round 3: Resolution Under Banking Scrutiny (45-50 min)
Players must complete incident response while handling:
- Customer breach notification strategy with forensic ambiguity
- Federal examiner assessment and potential enforcement actions
- Media relations and public reputation management
- Long-term banking cybersecurity program development within vendor and regulatory constraints
- Customer trust rebuilding and account retention initiatives
Success requires: Closure of complex banking incident addressing security, compliance, customer service, regulatory, reputational, and business dimensions. Strategic thinking about financial sector cybersecurity program evolution. Learning extraction about banking-specific security challenges and multi-stakeholder coordination.
Advanced Challenge Debriefing
Focus Areas:
1. Federal Regulatory Compliance Under Uncertainty:
- How did the team navigate multi-agency banking regulatory requirements with incomplete information?
- What decision frameworks balanced federal notification timelines with investigation thoroughness?
- Were they able to maintain productive examiner relationships while managing the incident?
- How did they communicate incident details to regulators while investigation was ongoing?
2. Customer Trust and Reputation Management:
- How effectively did the team balance customer communication transparency with legal/regulatory caution?
- What strategies worked for customer retention during and after breach notification?
- Were they able to manage media relations while conducting incident response?
- How did they address customer service representative information needs during uncertainty?
3. Multi-Branch Distributed Network Response:
- How well did the team coordinate security response across 45 distributed branch locations?
- What approaches worked for branch manager stakeholder management and change adoption?
- Were they able to maintain banking operational continuity across the distributed network during remediation?
- How did they address varying branch security baselines and IT capabilities?
4. Core Banking Vendor Partnership:
- How effectively did the team navigate vendor approval requirements and support dependencies?
- What communication strategies built productive vendor relationships during crisis?
- Were they able to balance the vendor's methodical approach with incident urgency?
- How did they manage vendor costs and contract constraints during emergency response?
5. Banking Cybersecurity Program Maturity:
- What specific capabilities or approaches are unique to financial sector cybersecurity?
- How should banks structure security programs given customer trust primacy and regulatory oversight?
- What role should branch employees play in banking cybersecurity awareness and incident response?
- How can banks build security resilience within vendor dependencies and regulatory compliance frameworks?
Victory Conditions (Advanced Challenge):